sync: auto-sync from HOWARD-HOME at 2026-06-25 19:48:41

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-25 19:48:41
2026-06-25 19:49:08 -07:00
parent 9f5fedda06
commit 42c8b232cd

@@ -0,0 +1,152 @@
## User
- **User:** Howard Enos (howard)
- **Machine:** Howard-Home
- **Role:** tech
## Session Summary
Set up the long-deferred shared-drive access for Nick Pafford at Rednour Law Offices (Syncro
#32343, open as a P2 item since 2026-05-31). The "shared drive" was never pinned down in prior
sessions; this session identified it as the **`Documents` SMB share on REDNOURCARRIEVI**
(`C:\Users\Carrie\Documents`) by running `Get-SmbShare` across all three GuruRMM-enrolled
workstations. Rednour is a workgroup (no AD), so access requires a local Windows account on that
PC; the share was previously reached only via the local `emma` account (an active local account,
unrelated to the M365 Emma->Carla mailbox rename).
After confirming the target with Howard and collecting decisions (dedicated account, Modify
access, LAN connectivity, Apple Silicon Mac), created a dedicated standard local account `nick`
on REDNOURCARRIEVI with PasswordNeverExpires, granted **share = Change** and **NTFS = Modify**
on the Documents folder. The credential was vaulted at
`clients/rednour/nick-smb-rednourcarrievi.sops.yaml`. Howard mounted the share on Nick's Apple
Silicon Mac onsite (`smb://192.168.10.194/Documents`) and confirmed it working.
The GuruRMM macOS agent install on Nick's Mac failed. Server-side checks showed the install
script + binary endpoints both return HTTP 200 (3.96 MB single-arch aarch64), so the artifact is
served fine. Root-cause hypothesis: the served aarch64 binary is **unsigned**, and Apple Silicon
SIGKILLs unsigned Mach-O binaries, so the LaunchDaemon never runs. The repo has
`agent/build-macos-signed.sh` (signs with Mike's Developer ID + notarizes) alongside the plain
unsigned `agent/build-macos.sh` — the server is almost certainly publishing the unsigned one.
Flagged via coord todo (project gururmm) and in the wiki; deferred for a fix (Howard only had a
limited ScreenConnect support session).
Documentation was updated: wiki `clients/rednour.md` (Nick share marked done, new File Shares
section, macOS-unsigned-agent known issue, return-visit + RMM-fail open items), an errorlog
friction entry, and a new memory on the RMM Set-Acl timeout. Billing and the Syncro internal
note were explicitly deferred to tomorrow per Howard — no Syncro writes were made this session.
## Key Decisions
- **Dedicated `nick` local account** over reusing the existing `emma`/`localadmin` creds — per-user
accountability; `emma` is confusingly named and `localadmin` is over-privileged.
- **Modify (read/write)** on the Documents share, matching a normal working-folder need.
- **Generate the password locally in the Bash tool and inject via placeholder** after two RMM
command timeouts lost the on-box-generated password (stdout is dropped on timeout). Final
password was set to a Howard-specified value.
- **NTFS grant via `icacls` (folder-only ACE, inheritance handles children)** instead of
PowerShell `Set-Acl` re-stamping the whole tree, which was the step that timed out.
- **Defer all Syncro billing + the internal note to tomorrow** (Howard's call). Noted that Syncro
supports multiple invoices per ticket, so the already-Invoiced #32343 can still take a new
invoice for today's onsite labor.
- **Updated the wiki directly** (vs `/wiki-compile`) at Howard's request, given the targeted
factual changes and that he was wrapping up onsite.
## Problems Encountered
- **RMM command timeouts on ACL propagation.** PowerShell `Set-Acl` with inheritance on Carrie's
large Documents tree exceeded `timeout_seconds` (90s, then 120s); since stdout is dropped on
timeout, the randomly-generated password printed in the same script was lost twice. Resolved by
generating the password locally (retained regardless of timeout), setting it in an isolated
fast command, and applying the NTFS ACE with `icacls` (no `/T`). Logged to errorlog (`rmm/acl`,
--friction) and saved as memory `feedback_rmm_setacl_timeout_password_loss`.
- **GuruRMM macOS agent did not install** on Nick's Apple Silicon Mac — server serves the binary
fine; hypothesis is the served aarch64 binary is unsigned (SIGKILL on Apple Silicon). Deferred;
coord todo filed.
- **Ticket #32343 is `Invoiced`, not `Resolved`** (wiki was stale). A new labor line would not
land on the existing invoice; surfaced to Howard, who deferred billing to tomorrow.
## Configuration Changes
**REDNOURCARRIEVI (client machine, via GuruRMM):**
- Created local user `nick` (FullName "Nick Pafford", standard user, member of Users,
PasswordNeverExpires, AccountNeverExpires).
- `Documents` SMB share: granted `REDNOURCARRIEVI\nick` = Change.
- NTFS on `C:\Users\Carrie\Documents`: granted `REDNOURCARRIEVI\nick` = Modify (OI)(CI).
**ClaudeTools repo (committed + pushed):**
- `wiki/clients/rednour.md` — Nick share done; File Shares section; macOS-unsigned known issue;
return-visit + RMM-fail open items; contact row updated.
- `errorlog.md` — rmm/acl friction entry.
- `.claude/memory/feedback_rmm_setacl_timeout_password_loss.md` + `.claude/memory/MEMORY.md` index.
**Vault repo (committed + pushed):**
- `clients/rednour/nick-smb-rednourcarrievi.sops.yaml` — new credential entry.
## Credentials & Secrets
- **Nick Pafford SMB account** — `REDNOURCARRIEVI\nick` / `Kg5Qe2Kc3` (PasswordNeverExpires).
Vaulted at `clients/rednour/nick-smb-rednourcarrievi.sops.yaml`. For SMB access to
`\\REDNOURCARRIEVI\Documents` (share=Change, NTFS=Modify). Mac mount:
`smb://192.168.10.194/Documents`.
## Infrastructure & Servers
- **REDNOURCARRIEVI** — Carrie Rednour's workstation; 192.168.10.194 (LAN) / 10.147.17.253
(ZeroTier). GuruRMM agent id `8e4e2221-7e2a-4a6f-9eda-864568539961`, client "Rednour Law
Offices", site "Main".
- **SMB shares on REDNOURCARRIEVI:** `Documents` + `ShareName` (both -> `C:\Users\Carrie\Documents`),
`Time Matters Shared Files`, `Timeslips`, `Program Files sage`, `Users`, `New folder`. Several
over-broad (Everyone=Full on Program Files/Users/Time Matters) — security cleanup candidate.
- **Local accounts on REDNOURCARRIEVI:** Carrie, emma (active), localadmin, guru,
QBDataServiceUser26, + new `nick`.
- **GuruRMM macOS install (site GREEN-FALCON-7214):** install script
`https://rmm.azcomputerguru.com/install/GREEN-FALCON-7214/macos` (HTTP 200); binary
`.../download/macos` (HTTP 200, 3.96 MB, single-arch aarch64, default Apple Silicon).
- **Rednour (Syncro):** customer "Rednour Law" id 1224246, prepay_hours 0.0; ticket #32343
(id 111409967) status Invoiced, owner Mike (1735).
## Commands & Outputs
```bash
# RMM auth + find Rednour agents
eval "$(bash .claude/scripts/rmm-auth.sh)"
# Get-SmbShare across 3 PCs -> Documents share on REDNOURCARRIEVI = C:\Users\Carrie\Documents
# Create account + share grant (share succeeded; Set-Acl timed out)
New-LocalUser nick / Grant-SmbShareAccess Documents Change / Set-Acl (TIMEOUT 90s)
# Recover: set known password (fast), apply NTFS via icacls (folder ACE)
Set-LocalUser nick -Password Kg5Qe2Kc3 -PasswordNeverExpires $true # OK
icacls "C:\Users\Carrie\Documents" /grant "REDNOURCARRIEVI\nick:(OI)(CI)M"
# Vault
bash .claude/skills/vault/scripts/vault-helper.sh new clients/rednour/nick-smb-rednourcarrievi ...
# Coord todo (gururmm macOS signing fix)
coord.py todo add "GuruRMM macOS agent install fails on Apple Silicon ..." --project gururmm
# id=6f2d22be-e653-48c8-9f9b-0155420b315d
```
## Pending / Incomplete Tasks
- **Syncro #32343 billing — tomorrow.** 0.5h onsite labor (product 26118, $175/hr, $87.50) for
today's share setup, plus the internal work note. Deferred by Howard. Ticket is Invoiced;
attach a new invoice (Syncro allows multiple per ticket). prepay_hours 0.0.
- **Fix GuruRMM macOS agent for Apple Silicon** (coord todo 6f2d22be) — serve the signed+notarized
arm64 binary (build-macos-signed.sh) or ad-hoc `codesign -s -` in the install script. Then enroll
Nick's Mac. Confirm root cause with Mac log (`killed: 9` / `sudo /usr/local/bin/gururmm-agent run`).
- **Auto-reconnect on Nick's Mac** — add the mounted Documents volume to System Settings > General >
Login Items (the "+" in Connect to Server only adds a Favorite, not auto-mount). To be done in
Nick's user session.
- **Return visit** — phone + printer setup at Rednour; may require running a new wire / installing a
switch.
- **Security cleanup (lower priority):** over-broad Everyone=Full shares on REDNOURCARRIEVI.
## Reference Information
- Syncro ticket #32343: https://computerguru.syncromsp.com/tickets/111409967
- Vault: `clients/rednour/nick-smb-rednourcarrievi.sops.yaml`
- Coord todo: 6f2d22be-e653-48c8-9f9b-0155420b315d (project gururmm)
- GuruRMM agent (REDNOURCARRIEVI): 8e4e2221-7e2a-4a6f-9eda-864568539961
- macOS build scripts: `projects/msp-tools/guru-rmm/agent/build-macos.sh` (unsigned),
`build-macos-signed.sh` (Developer ID: MICHAEL PHILLIP SWANSON N2LVAL4LQP), `build-macos-pkg.sh`
- Memory: `.claude/memory/feedback_rmm_setacl_timeout_password_loss.md`
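Review bot: The `## Credentials & Secrets` entry and the `Set-LocalUser nick -Password ...` line in the Commands block commit the live password for `REDNOURCARRIEVI\nick` in cleartext, alongside the host's LAN and ZeroTier addresses and the share path, even though the same log records that the credential is vaulted at `clients/rednour/nick-smb-rednourcarrievi.sops.yaml`. Replace both occurrences with a pointer to the vault entry (for example `-Password <from vault>`) and keep only the account name and path in the log. Because the value is already in this commit's history, a follow-up edit does not retract it: rotate the password on REDNOURCARRIEVI, update the sops file, and re-enter it on Nick's Mac mount. The account is set PasswordNeverExpires, so the exposed value stays valid until it is changed. Since the commit title marks this as an auto-sync, consider a pre-commit secret scan on the session-log path so the sync job refuses files that contain a password literal.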